Are You Up to Speed on Provisioning Tools?

Provisioning is stirring up both buzz and confusion these days. Just what
is provisioning, anyway? Generally speaking, tools in this emerging
category automate the creation, maintenance, and deletion of user accounts,
passwords, and access rights. Otherwise, tasks like these can take up tons
of time for network managers and other IT staff.

Until recently, the biggest reasons to bother with provisioning revolved
around streamlining operations and cutting costs, particularly in the area
of password administration. At UtiliCorp United, for example, 20 percent of
all service desk calls were once related to forgotten or expired passwords.
By implementing Courion Corp.'s tools, the utility firm has done away with
an estimated 1,000 phone calls per month from frustrated end users.

Increasingly, though, security is emerging as an even more potent driver
for provisioning products. "There's been a change in justification,"
asserts Chris King, an analyst at the Meta Group. When they talk to
business decision-makers, more IT folks are citing security, rather than
improved service levels, as a rationale for buying the tools, adds King.

For one thing, the massive layoffs of the past year, coupled with security
fears about employee disgruntlement, are raising pressures on network
managers to shut down accounts of terminated staffers as soon as they get
the boot.

"Rapid user turnover leaves orphaned (or "ghost") user accounts and their
privileges active, exposing the organization to insider and outsider
attacks. (To close the accounts), the same data must be entered manually in
many places, and errors are easily made," according to a recent report by
Gartner Group.

Moreover, some organizations, such as schools, must create and delete large
volumes of user accounts on an ongoing basis. "We have a couple of thousand
people come in every fall, and a couple of thousand people leave every
spring. It takes a lot of time and effort to get all those accounts
generated and maintain them during the year," says Gary Haberman, director
of technical resources at Widener University.

Widener is now deploying eProvision Day One, a provisioning system from
Business Layers. Before that, though, the university employed two full-time
people strictly for creating and maintaining accounts for its Unix and
Novell systems.

"There were other problems with this approach beyond just consuming
resources. For example, the university couldn't issue individual log-ins to
laboratory computers because was no way to generate accounts fast enough.
So, generic log-ins, similar to a 'guest' account, were used, making it
impossible to determine who was logged in when an incident occurred. These
incidents could range from a system crash to a more serious security breach
involving access to sensitive files," according to Haberman.

Sensing bright opportunities, vendors are converging on the provisioning
arena from all over the map. This adds up to more options for customers.
"The value proposition for user provisioning is easy: automated, secure,
self-service routines to replace manually intensive, insecure processes
fraught with problems," summed up analysts from the Hurwitz Group, in
another recent report.

With so many provisioning products hitting the market, though, network
managers can find it tough to tell them all apart.

Ancestors of the new generation tended to be point solutions for password
management or access rights, for instance. Courion first released a
password administration product called Password Courier way back in 1996.
After that, though, the vendor added Profile Courier, Certificate Courier,
and Account Courier. Courier's tools are now meant to extend identity
management all across the "user life cycle," up to and including the user's
departure from the organization.

Other smaller software vendors are specializing in provisioning, too. Aside
from Courion and Business Layers, these include Access360 and Waveset, for
example. Meanwhile, giants like Novell, Computer Associates, and IBM Tivoli
are stepping into the fray, as well. Like Courion, some of these other
players use the term "identity management" instead of "provisioning,"
confusing matters for customers even more.

Administrators, though, can differentiate among these tools along several
dimensions, industry observers say. To begin with, some products use role-based
authentication (RBA), whereas others do not, according to the Meta
Group's King.

With role-based products, administrators can assign access rights according
to designated roles. Novell and Business Layers are a couple of vendors
that enable this approach, for instance.

"The eProvision Day One program provides a way to automatically set up,
maintain, and delete (computer accounts) so that everyone gets access to
what they need according to their profile - a group of attributes for
network rights and e-mail that the university creates for students,
faculty, staff, and graduate students," says Widener University's Haberman.

"RBA isn't for everyone, though," King contends. Assignment of roles by
administrators can "get sticky," for instance, when the end users are
knowledge workers, according to the analyst.

In another point of distinction, some tools take a centralized approach,
whereas others support distributed provisioning, as well. Under the
distributed approach, an administrator might perform some provisioning
responsibilities from the data center, while delegating out other tasks,
such as password management. Alternatively, the administrator might decide
to delegate all provisioning functions to one or more co-workers.

Provisioning products also differ in terms of degree of integration with
outside software products. User account information can be stored in many
different places on the network, ranging from LDAP directories to SQL or
proprietary databases, for example. At this point, vendors typically use
point-to-point connectors and proprietary APIs to link their provisioning
tools to third-party software.

An upcoming toolkit for educational applications, however, will include a
driver for the Students Interoperability Framework (SIF), as well as a
connector to SCT's Banner software. Codenamed "Gemini" and slated for
release later this year, the educational kit is targeted at both the K-12
and university marketplaces.

Skehan adds, though, Novell's toolkits will also differ along two other
lines: default policies and end user presentation. "We're going to use a
different user interface to show the school environment, as opposed to
bosses and employees," he says.

Still, integration can be an extremely complex issue, depending on the
nature of the implementation. Novell Consulting, for example, operates a
very active provisioning practice for large enterprises, inherited through
Novell's acquisition of Cambridge Technology Partners (CTP). Some other
consulting firms, such as ePresence, focus exclusively on provisioning.

Down the road, however, integration might get considerably easier, thanks
to an emerging standard from OASIS. Last year, the standards group launched
a Provisioning Services Technical Committee, which is now developing an XML-based
framework called Service Provisioning Markup Language (SPML).

SPML is supposed to define standard ways for exchanging information between
multiple provisioning systems, as well as between the provisioning system
and the users and resources being managed.